Despite widespread denials, the tech world is rocking in the wake of a Bloomberg article alleging that Chinese individuals had smuggled tiny chips into datacenter servers deployed in the US.

The article claimed that so-called "spy chips" the size of a pencil tip had been placed on motherboards made by San Jose-based Supermicro, a major global computer manufacturer whose microchips are assembled in Chinese factories, and used to infiltrate the operations of 30 million US companies including Apple and Amazon.

The Bloomberg piece also alleged that the chips could compromise data on the affected servers, allowing China to spy on some of the world’s most powerful tech companies. While having limited direct capabilities, the chips potentially could allow China-based operatives remotely to alter the function of a device to access information.

Some of the implicated servers were used to power Apple’s iCloud and the Amazon Web Services cloud.

Innocence-Claims Invite Suspicion

Apple, Amazon, Supermicro and China’s Ministry of Foreign Affairs have all strenuously denied being affected. The strength of their protests have led some market watchers to speculate that there must be something to hide, while others have picked holes in Bloomberg’s reporting and lack of named sources.

The news service insists that information was based on more than a dozen sources with first-hand knowledge of the situation.

Amazon claims the chips were discovered during due diligence for its 2015 acquisition of Elemental Systems, a company that held a range of US government contracts, and reported them to the FBI. Apple followed suit, and also severed ties with Supermicro in 2016.

However, both companies have denied finding any malicious chips or having any contact with the FBI on the matter.

In the strongest denial so far, Apple’s president of information security, George Stathakopoulos, sent a letter to Congress on October 9 insisting that “Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.”

The UK’s National Cyber Security Center and the US Homeland Security department have also stated that they had “no reason to doubt” statements by Apple, Amazon and Supermicro denying the claims their hardware had been hacked.

Covert Surveillance Concerns Deepen

In follow-up reporting published the same day, Bloomberg cited “fresh evidence of tampering in China of critical technology components bound for the US.” It said that an unspecified major US telecom company had found that hardware used in its datacenters had been “manipulated” by an implant designed to conduct covert surveillance and exfiltrate corporate or government secrets.

In this case, an implant was found by a security expert on an Ethernet connector affiliated with a motherboard developed by Supermicro.

Yossi Appleboum, chief executive of Sepio Systems, which was conducting security work for the telecoms company (which could not be named by Appleboum due to a binding non-disclosure agreement) said that having inspected the affected hardware, he determined that the telecom company’s server had been modified at the factory where it was manufactured, in Guangzhou, China.

While this is a different set of circumstances from the alleged datacenter server hardware hack and has not been linked to Apple or Amazon, the increased level of detail in the latter report has given it more credence, augmenting concerns that if US telecoms networks have been compromised, a serious breach has no doubt occurred.

Spy Chip Furor Could Damage Global Trade

The Taiwanese military’s cyber warfare chief has warned that the alleged datacenter server infiltration could disrupt the entire global technology supply chain: “If this all gets dragged out into daylight, we will see a commercial storm,” said Major General Ma Ying-han.

Taiwanese industry executives have said that the motherboards for Supermicro’s servers are made in the Chinese factories of Taiwanese contract manufacturers, including an affiliate of ASE, the world’s largest chip packaging company, and Wistron.

The ongoing trade war between China and the US appears to have negatively impacted exports from Asian countries, with the latest Nikkei ASEAN Purchasing Managers’ Index, compiled by IHS Markit, finding that the manufacturing upturn in members of the Association of Southeast Asian Nations lost momentum in September.

The region saw slower growth in both new orders and output at the end of the third quarter.

If the hardware hacks turn out to be true, an infiltration of Supermicro will have wide-reaching consequences on the wider technology industry, as well as the manner in which companies approach their supply chains.

In the words of one former US official: “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”

Some name

Cormac at VitalBriefing is a full stack web platform developer and programmer, for many years building and running systems, applications and products in data processing, disaster recovery, virtualization and programming. In his own words, he's “old enough to have tackled the Y2K bug but young enough to keep on top of the cutting-edge of cyber and data security.” He also works with myriad programming and OS issues, as well as software and mobile development for apps and web.